[PATCH] Avoid OOB access on illegal ZFS superblocks

[PATCH] Avoid OOB access on illegal ZFS superblocks

[Tobias Stoeckmann]

64 bit systems can trigger an out of boundary access while performing
a ZFS superblock probe.

This happens due to a possible integer overflow while calculating
the remaining available bytes. The variable is of type "int" and the
string length is allowed to be larger than INT_MAX, which means that
avail calculation can overflow, circumventing the "avail < 0" check and
therefore accessing memory outside the "buff" array later on.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
 libblkid/src/superblocks/zfs.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libblkid/src/superblocks/zfs.c b/libblkid/src/superblocks/zfs.c
index b6ffac5..c41f769 100644
--- a/libblkid/src/superblocks/zfs.c
+++ b/libblkid/src/superblocks/zfs.c
@@ -112,7 +112,7 @@ static void zfs_extract_guid_name(blkid_probe pr, loff_t offset)
 
 			nvs->nvs_type = be32_to_cpu(nvs->nvs_type);
 			nvs->nvs_strlen = be32_to_cpu(nvs->nvs_strlen);
-			if (nvs->nvs_strlen > UINT_MAX - sizeof(*nvs))
+			if (nvs->nvs_strlen > INT_MAX - sizeof(*nvs))
 				break;
 			avail -= nvs->nvs_strlen + sizeof(*nvs);
 			DBG(LOWPROBE, ul_debug("nvstring: type %u string %*s\n", nvs->nvs_type,
-- 
2.9.3

Re: [PATCH] Avoid OOB access on illegal ZFS superblocks

[Karel Zak]

On Sun, Aug 28, 2016 at 09:15:59PM +0200, Tobias Stoeckmann wrote:
>  libblkid/src/superblocks/zfs.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)

 Applied, thanks.

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com